Computer Fraud Provision of Crime Policy Does Not Cover Loss from Business Email Compromise and Social Engineering Scheme

Applying Texas law, the United States Court of Appeals for the Fifth Circuit has held that a business email compromise loss involving social engineering did not “result[] directly from the use of any computer to fraudulently cause a transfer” and thus did not trigger Computer Fraud coverage under a commercial crime insurance policy.  Apache Corp. v. Great American Ins. Co., 2016 WL 6090901 (5th Cir. Oct. 18, 2016).

In March 2013, the insured, a large oil and gas exploration and production company, received a telephone call from a person identifying herself as a representative of one of the insured’s legitimate vendors.  The caller instructed the insured to change the account information for its payments to that vendor.  The insured’s employee replied that the request could not be processed without a formal request on the company’s letterhead, and a week later, the insured received an email from a similar, but inauthentic, domain name that the criminals had created to send a fraudulent email.  The email included an attachment with instructions on the vendor’s letterhead to change its account information.  The insured subsequently paid legitimate invoices from the vendor, albeit to the bank account belonging to the fraudster.  While the company was able to recover some of the $7 million paid to the fraudster’s account, it failed to recover approximately $2.4 million.

The insured then sought coverage under the “Computer Fraud” provision of its crime insurance policy.  In relevant part, that provision covered “loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer.”  The insurer denied coverage on the grounds that the insured’s “loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.”  A coverage dispute ensued, and the district court granted summary judgment in favor of the insured after ruling that the fraudulent email was a “substantial factor” in the scheme.  In so doing, the court rejected the argument that coverage under the policy was limited to losses caused by computer hacking.

On appeal, the Fifth Circuit reversed the decision and rendered judgment for the insurer.  The court recognized a “cross-jurisdictional uniformity in declining to extend coverage when the fraudulent transfer was the result of other events and not directly by the computer use,” and it found that authority persuasive.  The court determined that the “computer use” at issue here “was an email with instructions to change a vendor’s payment information.”  While the court acknowledged that the use of “email was part of the scheme[,] … the email was merely incidental to the occurrence of the authorized transfer of money.”  The court further noted that “[t]o interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would … convert the computer-fraud provision to one for general fraud.”  On that basis, the court ruled that the business email compromise loss caused through social engineering did not “result[] directly from the use of any computer to fraudulently cause a transfer.”

Tags

Wiley Executive Summary
